Windows Analysis Report DHL_AWB 65335643399___pdf.exe

Overview

General Information

Sample Name: DHL_AWB 65335643399___pdf.exe
Analysis ID: 516538
MD5: 52ef260ef62aae29914f40cb8eaed7ac
SHA1: cba71c49ae1c145c6e9210685be42f4aa24b0e18
SHA256: 752efe9ad078a9be4a82b6f7c2123d58c90a1456287390b50df9e9c3292bc490
Tags: exe, hawkeye

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Detected HawkEye Rat
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • DHL_AWB 65335643399___pdf.exe (PID: 6536 cmdline: "C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe" MD5: 52EF260EF62AAE29914F40CB8EAED7AC)
    • schtasks.exe (PID: 6980 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • DHL_AWB 65335643399___pdf.exe (PID: 6996 cmdline: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe MD5: 52EF260EF62AAE29914F40CB8EAED7AC)
      • vbc.exe (PID: 7116 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp72B7.tmp MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6436 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp51F7.tmp MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6452 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp2427.tmp MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6740 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF619.tmp MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6756 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF75D.tmp MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings are listed beneath each row)
0000000C.00000000.415051620.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x87a2e:$s1: HawkEye Keylogger
  • 0x87a97:$s1: HawkEye Keylogger
  • 0x80e71:$s2: _ScreenshotLogger
  • 0x80e3e:$s3: _PasswordStealer
00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
(65 entries in total; only the first are shown here)

        Unpacked PEs

Source | Rule | Description | Author (matched strings are listed beneath each row)
7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x87c2e:$s1: HawkEye Keylogger
  • 0x87c97:$s1: HawkEye Keylogger
  • 0x81071:$s2: _ScreenshotLogger
  • 0x8103e:$s3: _PasswordStealer
7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp
  • 0x87601:$name: ConfuserEx
  • 0x8630e:$compile: AssemblyTitle
7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen
  • 0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
  • 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
  • 0x8103e:$str1: _PasswordStealer
  • 0x8104f:$str2: _KeyStrokeLogger
  • 0x81071:$str3: _ScreenshotLogger
  • 0x81060:$str4: _ClipboardLogger
  • 0x81083:$str5: _WebCamLogger
  • 0x81198:$str6: _AntiVirusKiller
  • 0x81186:$str7: _ProcessElevation
  • 0x8114d:$str8: _DisableCommandPrompt
  • 0x81253:$str9: _WebsiteBlocker
  • 0x81263:$str9: _WebsiteBlocker
  • 0x81139:$str10: _DisableTaskManager
  • 0x811b4:$str11: _AntiDebugger
  • 0x8123e:$str12: _WebsiteVisitorSites
  • 0x81163:$str13: _DisableRegEdit
  • 0x811c2:$str14: _ExecutionDelay
  • 0x810e7:$str15: _InstallStartupPersistance
27.2.vbc.exe.400000.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
(143 entries in total; only the first are shown here)

          Sigma Overview

          System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started, Author: frack113, Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe" , ParentImage: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe, ParentProcessId: 6536, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp, ProcessId: 6980

          Jbx Signature Overview


          AV Detection:

Multi AV Scanner detection for submitted file
Source: DHL_AWB 65335643399___pdf.exe, Virustotal: Detection: 26%
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, Avira: Label: TR/Dropper.Gen
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, Avira: Label: TR/Dropper.Gen
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, Avira: Label: TR/Dropper.Gen
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, Avira: Label: TR/Dropper.Gen
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, Avira: Label: TR/Dropper.Gen
Source: DHL_AWB 65335643399___pdf.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: DHL_AWB 65335643399___pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, vbc.exe, 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 8_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 8_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 12_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 12_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe, Code function: 4x nop then jmp 07FABE90h
Source: vbc.exe, String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
          Source: vbc.exe, 00000008.00000003.406082134.00000000022AE000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.424487107.000000000223E000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.438015449.0000000000A3E000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~
oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
          Source: vbc.exe, 00000008.00000003.406082134.00000000022AE000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.424487107.000000000223E000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.438015449.0000000000A3E000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~
oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
          Source: vbc.exe, 00000011.00000003.456654465.00000000020FE000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps:/
/www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
          Source: vbc.exe, 00000011.00000003.457424591.00000000020FE000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
          Source: vbc.exe, 0000000D.00000003.438830919.0000000000A3E000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.336476043.0000000005D5B000.00000004.00000001.sdmp String found in binary or memory: http://en.w)
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.336076136.0000000005D5B000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.336007214.0000000005D5B000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com/
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://google.com/chrome
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjIwZTg0ZTY4NTUwZTU4OGJhMzFmNmI5YjE4N2E4NDAyZWVmO
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJhM2VjZmJmYzJjMzAzZjVjMGM1MjhiNDZjYWEyNDY0MGI2M
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA61Ofl?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AABzUSt?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsAOZ?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsZuW?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv9IZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhNP?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhax?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvqEs?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvuGs?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvzqT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xDME?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yG8H?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1kc8s?m=6&o=true&u=true&n=true&w=30&h=30
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMQmHU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMVUFn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBS0Ogx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuaWG?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0:
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0B
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0E
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0F
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0K
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0M
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0R
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.msocsp.com0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.pki.goog/gsr202
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=333&w=311
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=166&w=310
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xDME.img?h=75&w=100
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yG8H.img?h=166&w=31
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=75&w=100
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMQmHU.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBS0Ogx.img?h=75&w=100&
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuaWG.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.349234388.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.agfamonotype.
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.341657296.0000000005D63000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.341284538.0000000005D63000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339309878.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339904623.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com.
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.340178685.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comR
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339904623.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339904623.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comc
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339309878.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comces
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339309878.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comcy
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339422429.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comen
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339531363.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comint8
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339531363.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339904623.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comn-uN
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339720163.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.343215254.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/R
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.344674691.0000000005D7E000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.344539855.0000000005D7E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.344003681.0000000005D7E000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.344241564.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlftwr
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.343041958.0000000005D63000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/n
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.343959639.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.343510616.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers:
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.344688385.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.343510616.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersA
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.345148561.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersC
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.349140893.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersb
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.343118651.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersd
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.344688385.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersm
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.343215254.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersp
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.343118651.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersw
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.384884031.0000000001527000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.com=
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.384884031.0000000001527000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comoaj%(-
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338190350.0000000005D5B000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338273494.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338395162.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/L
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338488811.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnR
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338488811.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnark&
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338273494.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnk
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338488811.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnomp
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.347670969.0000000005D5B000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.346985285.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmg
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338067194.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.342647297.0000000005D63000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.346508093.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.0
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://www.msn.com
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://www.msn.com/
          Source: vbc.exe, 00000008.00000003.403942068.0000000002294000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.421984649.000000000222D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436172488.0000000000A2D000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.455444203.00000000020E4000.00000004.00000001.sdmp, bhv7E75.tmp.13.drString found in binary or memory: http://www.msn.com/?ocid=iehp
          Source: vbc.exe, 00000011.00000003.456654465.00000000020FE000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454890238.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454779329.00000000020F3000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.co
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
          Source: bhv7E75.tmp.13.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
          Source: vbc.exe, 00000008.00000002.406829834.000000000019C000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000002.424903467.000000000019C000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.439426621.000000000019C000.00000004.00000001.sdmp, vbc.exe, 00000011.00000002.457922865.000000000019C000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net
          Source: vbc.exe, 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.334804967.0000000005D42000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.334804967.0000000005D42000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coma
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.341087174.0000000005D63000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.comR
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.337803826.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr=
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.337884254.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krN.TTF
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.337884254.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kra-ea
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.337884254.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krgra
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.337884254.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krlu
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338672489.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.6
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.340105341.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comE
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338749105.000000000152C000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comXh
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338638321.0000000005D5B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comn-u4
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.342932704.0000000005D63000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.345202768.0000000005D68000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.342932704.0000000005D63000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deC
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.342826199.0000000005D63000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deFos
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339309878.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339058782.0000000005D60000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnr-f
          Source: bhv7E75.tmp.13.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
          Source: vbc.exe, 00000011.00000003.456654465.00000000020FE000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454890238.00000000020FD000.00000004.00000001.sdmp, bhv7E75.tmp.13.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
          Source: bhv7E75.tmp.13.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmpString found in binary or memory: https://a.pomf.cat/
          Source: bhv7E75.tmp.13.drString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
          Source: vbc.exe, 00000008.00000003.403565944.0000000002294000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.421984649.000000000222D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436172488.0000000000A2D000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454535819.00000000020ED000.00000004.00000001.sdmp, bhv7E75.tmp.13.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
          Source: bhv7E75.tmp.13.drString found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://contextual.media.net/
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
          Source: vbc.exe, 00000011.00000003.455081268.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.455503892.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454799669.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.457424591.00000000020FE000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.456654465.00000000020FE000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454890238.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454697900.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454779329.00000000020F3000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
          Source: vbc.exe, 00000011.00000003.455081268.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.455503892.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454799669.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.457424591.00000000020FE000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.456654465.00000000020FE000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454890238.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454697900.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454779329.00000000020F3000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/189/134/171/257b11a9-f3a3-4bb3-9298-c791f456f3d0.jpg?v=9
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/286x175/3/248/152/169/520bb037-5f8d-42d6-934b-d6ec4a6832e8.jpg?v=9
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/300x300/2/189/9/46/83cfba42-7d45-4670-a4a7-a3211ca07534.jpg?v=9
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/300x300/3/237/70/222/47ef75a1-aa03-4dce-a349-91d6a5ed47bb.jpg?v=9
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9B620FEE
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Google
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
          Source: vbc.exe, 00000008.00000003.403565944.0000000002294000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.421984649.000000000222D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436172488.0000000000A2D000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454535819.00000000020ED000.00000004.00000001.sdmp, bhv7E75.tmp.13.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
          Source: vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://pki.goog/repository/0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msn
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.digicert.com/CPS0
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google-analytics.com/analytics.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=1824632442.1601478955
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/
          Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
          Source: vbc.exe, 00000008.00000003.403764467.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.406082134.00000000022AE000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.403993310.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.403428748.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.403352721.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.403250563.00000000022A3000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.424487107.000000000223E000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422702275.000000000223D000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422786505.000000000223D000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422243341.000000000223D000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422112434.0000000002233000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422184852.000000000223D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436725657.0000000000A3D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436819908.0000000000A3D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.438015449.0000000000A3E000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436279584.0000000000A33000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.438830919.0000000000A3E000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436354749.0000000000A3D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436415474.0000000000A3D000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.455081268.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.455503892.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454799669.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.457424591.00000000020FE000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.456654465.00000000020FE000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454890238.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454697900.00000000020F3000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
          Source: vbc.exe, 00000008.00000003.403764467.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.404030985.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.403320580.00000000022A3000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422702275.000000000223D000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422167377.0000000002233000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436725657.0000000000A3D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436340701.0000000000A33000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.455081268.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454779329.00000000020F3000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https:/
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
          Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          Yara detected HawkEye Keylogger
          Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Window created: window name: CLIPBRDWNDCLASS
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040F078 OpenClipboard,GetLastError,DeleteFileW,

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 27.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 27.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 27.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 27.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 27.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 27.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 27.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 27.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 27.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 27.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 27.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 27.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 0000001B.00000002.585393509.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0000001B.00000000.584242337.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 0000001B.00000000.583483657.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0000001B.00000000.583887483.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Initial sample is a PE file and has a suspicious name
          Source: initial sample, Static PE information: Filename: DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 27.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 27.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 27.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 27.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 27.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 27.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 27.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 27.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 27.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 27.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 27.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx, author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 27.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 0000001B.00000002.585393509.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000001B.00000000.584242337.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 0000001B.00000000.583483657.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000001B.00000000.583887483.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_02921D6F
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E4430
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E0778
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E4680
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E0EA8
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E6EE8
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E14DD
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E1415
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E1295
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058ED920
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E4671
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E6EC1
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E4928
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E170B
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E1667
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E7107
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E1134
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058EF16C
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E1174
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E7031
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E12D5
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E125A
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E3DA0
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E3DF0
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E3AAC
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058E3AB0
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058F4310
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058F62B8
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058F4C00
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058FFBC0
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058F9080
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058F9090
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058FC2B8
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058FC2C8
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058F3FC0
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058F8B60
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 7_2_058F8B70
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0044900F
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004042EB
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00414281
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00410291
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004063BB
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00415624
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0041668D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040477F
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040487C
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0043589B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0043BA9D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0043FBD3
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0044900F
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_004042EB
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00414281
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00410291
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_004063BB
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00415624
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0041668D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0040477F
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0040487C
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0043589B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0043BA9D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0043FBD3
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0044465C appears 36 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0044466E appears 40 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00415F19 appears 68 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0044468C appears 72 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00444B90 appears 72 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0041607A appears 132 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0042F6EF appears 32 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004162C2 appears 174 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004083D6 appears 64 times
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Code function: 7_2_058E1398 NtUnmapViewOfSection,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
          Source: DHL_AWB 65335643399___pdf.exe | Binary or memory string: OriginalFilename vs DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.384048080.0000000000AD2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameX509Constan.exe4 vs DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe | Binary or memory string: OriginalFilename vs DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.602565955.0000000000B58000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000000.382825709.00000000006F2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameX509Constan.exe4 vs DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe | Binary or memory string: OriginalFilenameX509Constan.exe4 vs DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: NbJgZAsv.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: DHL_AWB 65335643399___pdf.exe | Virustotal: Detection: 26%
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | File read: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
          Source: DHL_AWB 65335643399___pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe "C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe"
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp72B7.tmp
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp51F7.tmp
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp2427.tmp
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF619.tmp
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF75D.tmp
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp72B7.tmp
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp51F7.tmp
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp2427.tmp
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF619.tmp
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF75D.tmp
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | File created: C:\Users\user\AppData\Roaming\NbJgZAsv.exe
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmpBB4.tmp
          Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@16/13@0/1
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
          Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
          Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000000.392634525.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000C.00000000.415051620.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
          Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
          Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00417BE9 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00413424 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,
          Source: DHL_AWB 65335643399___pdf.exe | Joe Sandbox Cloud Basic: Detection: clean Score: 0
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\0afb590f-6441-4e30-9017-486274a19cc9
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_01
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\LcfvXkhsWmtOAyNmKljqjUzj
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004141E0 FindResourceW,SizeofResource,LoadResource,LockResource,
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u206b????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u206b????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          Source: DHL_AWB 65335643399___pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: DHL_AWB 65335643399___pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp
          Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, vbc.exe, 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp
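The process-creation lines above describe a recognisable chain: the dropper registers a scheduled task from an XML file in the user's temp directory, re-launches itself, and then starts vbc.exe (the VB.NET compiler) with a "/stext <file>" switch that the real compiler does not accept but that NirSoft's command-line tools use to dump recovered credentials to a text file; together with the NtUnmapViewOfSection call and the mailpv/WebBrowserPassView PDB paths this is process hollowing of vbc.exe. The following is an added detection example, not Joe Sandbox code: it runs three rules over process events constructed from the report's own command lines (plus one constructed benign vbc.exe invocation as a control) and is meant as a starting point for a Sysmon/EDR query.

```python
"""Detection logic for the hollowed-vbc.exe / schtasks chain in this report.
Events are constructed from the report's command lines; they are not sandbox
output. The MSBuild/vbc.exe control event is constructed as a benign case."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str    # command line as logged


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


# "/stext <file>" is the NirSoft save-as-text switch; vbc.exe has no such option.
STEXT_RE = re.compile(r'/stext\s+"?[^"\s]+', re.I)
# task definition read from the user's temp directory
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)


def detect(events):
    """Return (rule, pid, parent_image_name) triples for suspicious events."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = image_name(e.image)
        pname = image_name(parent.image) if parent else ""
        cmd = e.cmdline.lower()

        # 1. vbc.exe with a NirSoft switch: the image has been hollowed and
        #    replaced with a password-recovery tool.
        if name == "vbc.exe" and STEXT_RE.search(e.cmdline):
            findings.append(("hollowed_vbc_stext", e.pid, pname))

        # 2. schtasks /Create /XML with the task file in %Temp% (the Sigma
        #    "Suspicious Add Task From User AppData Temp" pattern).
        if (name == "schtasks.exe" and "/create" in cmd and "/xml" in cmd
                and TEMP_RE.search(e.cmdline)):
            findings.append(("schtasks_xml_from_temp", e.pid, pname))

        # 3. A process under C:\Users spawning a copy of itself is a common
        #    hollowing prelude; weak alone, useful combined with 1 and 2.
        if parent and name == pname and e.image.lower().startswith("c:\\users\\"):
            findings.append(("self_relaunch_user_path", e.pid, pname))
    return findings


SAMPLE_EVENTS = [
    ProcEvent(1, 0, r"C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe",
              r'"C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe"'),
    ProcEvent(2, 1, r"C:\Windows\SysWOW64\schtasks.exe",
              r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp'),
    ProcEvent(3, 2, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(7, 1, r"C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe",
              r"C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe"),
    ProcEvent(8, 7, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp72B7.tmp'),
    ProcEvent(12, 7, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp51F7.tmp'),
    # constructed benign control: a real compiler invocation from a build tool
    ProcEvent(98, 0, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              "MSBuild.exe app.vbproj"),
    ProcEvent(99, 98, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
              r"vbc.exe /noconfig /nologo /out:C:\build\app.dll Module1.vb"),
]

if __name__ == "__main__":
    for rule, pid, parent in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid:<4d} parent={parent}")
```

Rule 1 is the high-confidence signal: a legitimate compiler never receives /stext, and the benign MSBuild-driven vbc.exe event produces no finding. Rule 3 is deliberately weak on its own (self-updating user-mode applications trigger it too) and is only worth alerting on together with rule 1 or 2 under the same parent.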

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: DHL_AWB 65335643399___pdf.exe, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: NbJgZAsv.exe.0.dr, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.13.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.11.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.7.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.9.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.5.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs.Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeCode function: 0_2_07FABB53 push esp; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00444975 push ecx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00444B90 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00444B90 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00448E74 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_0042CF44 push ebx; retf 0042h
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_00444975 push ecx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_00444B90 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_00444B90 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_00448E74 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_0042CF44 push ebx; retf 0042h
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: DHL_AWB 65335643399___pdf.exeStatic PE information: 0xBAAB9656 [Fri Mar 29 18:28:38 2069 UTC]
          Source: initial sampleStatic PE information: section name: .text entropy: 7.57987288124
          Source: initial sampleStatic PE information: section name: .text entropy: 7.57987288124
          Source: DHL_AWB 65335643399___pdf.exe, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
          Source: DHL_AWB 65335643399___pdf.exe, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
          Source: DHL_AWB 65335643399___pdf.exe, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
          Source: DHL_AWB 65335643399___pdf.exe, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
          Source: NbJgZAsv.exe.0.dr, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
          Source: NbJgZAsv.exe.0.dr, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
          Source: NbJgZAsv.exe.0.dr, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
          Source: NbJgZAsv.exe.0.dr, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
          Source: 0.0.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
          Source: 0.0.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
          Source: 0.0.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
          Source: 0.0.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
          Source: 0.2.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.13.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.13.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.13.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.13.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.11.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.11.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.11.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.11.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.7.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.7.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.7.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.7.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.9.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.9.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.9.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.9.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.5.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.5.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.5.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.5.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.0.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.0.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.0.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs | High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs | High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs | High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs | High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | File created: C:\Users\user\AppData\Roaming\NbJgZAsv.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp"
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 0.2.DHL_AWB 65335643399___pdf.exe.2e32b8c.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
          Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe TID: 6540 | Thread sleep time: -32392s >= -30000s
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe TID: 6580 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe TID: 7076 | Thread sleep count: 138 > 30
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe TID: 7076 | Thread sleep time: -138000s >= -30000s
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe TID: 6292 | Thread sleep time: -345600000s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Thread delayed: delay time: 172800000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0041829C memset,GetSystemInfo,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Thread delayed: delay time: 32392
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Thread delayed: delay time: 172800000
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: bhv7E75.tmp.13.dr | Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:BE8AB8DF-DCD1-3523-4A95-3A04EAFF1CBA&ctry=US&time=20211105T222051Z&lc=en-US&pl=en-US&idtp=mid&uid=b029da70-c67b-4a7e-9bd5-517f7e302ed9&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=acb40644ee59409e84e67afcd8be5637&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1241428&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1241428&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
          Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 269008
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3FE008
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 242008
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 267008
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 220008
          .NET source code references suspicious native API functionsShow sources
          Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u200d????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
          Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
          Allocates memory in foreign processes
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeMemory written: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeProcess created: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp72B7.tmp
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp51F7.tmp
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp2427.tmp
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF619.tmp
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF75D.tmp
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604722336.0000000002B87000.00000004.00000001.sdmpBinary or memory string: Program Manager
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.603790196.00000000014C0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.603790196.00000000014C0000.00000002.00020000.sdmpBinary or memory string: Progman
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.603790196.00000000014C0000.00000002.00020000.sdmpBinary or memory string: &Program Manager
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.603790196.00000000014C0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00418137 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004083A1 GetVersionExW,
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: bdagent.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: MSASCui.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: avguard.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: avgrsx.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: avcenter.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: avp.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: zlclient.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: avgcsrvx.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: avgnt.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: hijackthis.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: avgui.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: avgwdsvc.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: mbam.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: MsMpEng.exe
          Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: ComboFix.exe

          Stealing of Sensitive Information:

          Yara detected MailPassView
          Source: Yara match | File source: 27.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 27.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 27.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 27.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 27.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 27.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 27.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 27.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 27.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 27.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 27.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 27.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.3ae5950.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001B.00000002.585393509.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001B.00000000.584242337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001B.00000000.583483657.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000003.384365256.0000000004355000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001B.00000000.583887483.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.606069695.0000000002CBB000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: vbc.exe PID: 6756, type: MEMORYSTR
          Yara detected HawkEye Keylogger
          Source: Yara match | File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Yara detected WebBrowserPassView password recovery tool
Source: Yara match; File source: 17.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DHL_AWB 65335643399___pdf.exe.3ae5950.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DHL_AWB 65335643399___pdf.exe.3ae5950.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000C.00000000.415051620.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.604722336.0000000002B87000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.604997751.0000000002C11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.604881484.0000000002BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.392634525.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.458049589.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.439502988.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000000.443122582.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000000.414637682.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000000.414189798.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.394234087.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000000.413703386.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.393712124.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.394776440.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000000.429569305.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000000.428434291.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000003.384365256.0000000004355000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000000.445590834.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000000.443616731.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000000.428849255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: vbc.exe PID: 6452, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: vbc.exe PID: 6740, type: MEMORYSTR
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match; File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR
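The registry keys and Chrome database paths listed under the three credential-theft signatures above, together with the fact that the reader process is vbc.exe (the VB.NET compiler) started by the sample, translate directly into a host-based detection. The following is an added example written for this page, not Joe Sandbox code: it runs a small rule set over constructed Sysmon-style events (process creation, registry key open, file open; the record layout is an assumption of the example) and reproduces the report's per-process signature view, escalating when a vbc.exe instance that was not launched by a build tool (the allowlist of legitimate parents is also an assumption) reads one of the credential stores.

```python
"""Behavioural detector built from the credential-theft indicators in the
sandbox report above.  Added example, not Joe Sandbox code.  Event records
are constructed to resemble Sysmon-style telemetry (process create, registry
key open, file open); the field names are an assumption of this example."""
from dataclasses import dataclass
from typing import Iterable

# Registry keys the report shows vbc.exe opening (mail clients).
MAIL_KEYS = (
    r"hkey_current_user\software\microsoft\office\outlook\omi account manager\accounts",
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles",
    r"hkey_current_user\software\incredimail\identities",
    r"hkey_current_user\software\microsoft\windows live mail",
)
# Registry keys the report shows vbc.exe opening (instant messaging / identity).
IM_KEYS = (
    r"hkey_current_user\software\google\google talk\accounts",
    r"hkey_current_user\software\microsoft\identitycrl\dynamic salt",
)
# Chrome profile databases; user and profile directory vary, so match on the suffix.
BROWSER_FILES = (
    r"\google\chrome\user data\default\login data",
    r"\google\chrome\user data\default\web data",
)
# vbc.exe is the VB.NET compiler.  Which parents legitimately start it is
# environment-specific; this allowlist is an assumption for the example.
BUILD_TOOL_PARENTS = ("msbuild.exe", "devenv.exe", "vbcscompiler.exe")

SIG_MAIL = "Tries to steal Mail credentials (via file / registry access)"
SIG_IM = "Tries to steal Instant Messenger accounts or passwords"
SIG_BROWSER = "Tries to harvest and steal browser information (history, passwords, etc)"
SIG_HOST = "vbc.exe started by a non-build-tool parent (candidate hollowing host)"


@dataclass(frozen=True)
class Event:
    kind: str    # "process" (creation), "registry" (key open) or "file" (open)
    pid: int     # acting process for registry/file; the new child for process
    image: str   # acting process image, or the child image for process events
    target: str  # key path, file path, or parent image for process events


def _norm(path: str) -> str:
    """Lower-case and expand the HKCU short hive name so both spellings compare equal."""
    p = path.strip().lower()
    return p.replace("hkcu\\", "hkey_current_user\\", 1) if p.startswith("hkcu\\") else p


def classify(ev: Event) -> list:
    """Signature names a single event triggers (empty list if none)."""
    hits = []
    t = _norm(ev.target)
    if ev.kind == "registry":
        if t.startswith(MAIL_KEYS):
            hits.append(SIG_MAIL)
        if t.startswith(IM_KEYS):
            hits.append(SIG_IM)
    elif ev.kind == "file" and t.endswith(BROWSER_FILES):
        hits.append(SIG_BROWSER)
    elif (ev.kind == "process" and _norm(ev.image).endswith("\\vbc.exe")
          and not t.endswith(BUILD_TOOL_PARENTS)):
        hits.append(SIG_HOST)
    return hits


def detect(events: Iterable[Event]) -> dict:
    """Aggregate signatures per PID, the way the report's per-process view does."""
    findings = {}
    for ev in events:
        for sig in classify(ev):
            findings.setdefault(ev.pid, set()).add(sig)
    return findings


def verdict(findings: dict) -> list:
    """PIDs where a suspiciously parented vbc.exe also touched a credential store."""
    cred = {SIG_MAIL, SIG_IM, SIG_BROWSER}
    return sorted(pid for pid, sigs in findings.items() if SIG_HOST in sigs and sigs & cred)


# Constructed events mirroring the report: the second sample instance starts
# vbc.exe children that read mail/IM registry keys and the Chrome databases.
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SAMPLE = r"C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe"
SAMPLE_EVENTS = [
    Event("process", 6756, VBC, SAMPLE),
    Event("process", 6740, VBC, SAMPLE),
    Event("registry", 6756, VBC, r"HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"),
    Event("registry", 6756, VBC, r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    Event("registry", 6756, VBC, r"HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts"),
    Event("file", 6740, VBC, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    # Benign control: a build server's MSBuild starting the compiler.
    Event("process", 4242, VBC, r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe"),
    Event("registry", 4242, VBC, r"HKCU\Software\Microsoft\VisualStudio"),
]

if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for pid in sorted(result):
        print(pid, sorted(result[pid]))
    print("escalate:", verdict(result))
```

Run stand-alone, the script reports PIDs 6756 (mail and IM keys) and 6740 (Chrome Login Data) and escalates both, while the MSBuild-parented compiler in the control events produces nothing. The prefix match on registry keys matters: the report shows key opens at the container level (for example the Windows Live Mail key itself), so matching only exact subkeys would miss it.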

Remote Access Functionality:

Yara detected HawkEye Keylogger
Source: Yara match; File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR
Detected HawkEye Rat
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp; String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
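The string the "Detected HawkEye Rat" signature matched on is the run of HawkEye configuration setting names (delivery channel, credentials, which loggers and stealers are enabled, install and anti-analysis options) found in the sample's memory. As an added example, not part of the report, the helper below locates that marker in a memory dump in either UTF-8 or UTF-16LE (a .NET process may hold the text in either encoding) and returns the individual setting names, so a triager can see at a glance which capabilities the build exposes. The dump bytes are constructed for the demo; real input would be the .sdmp regions the report names.

```python
"""Locate the HawkEye configuration setting list quoted in the report inside a
process memory dump and return the setting names.  Added example, not Joe
Sandbox code.  The dump bytes at the bottom are constructed for the demo."""
import re
from typing import Optional

# First settings of the string the report found; enough to anchor a search.
ANCHOR = "_Version_Mutex_Delivery_"

# The marker is a run of ASCII identifiers separated by '_'.  A .NET process may
# hold text as UTF-8 or UTF-16LE, so both encodings are scanned.
_PATTERNS = {
    "utf-8": re.compile(re.escape(ANCHOR.encode("utf-8")) + rb"[A-Za-z0-9_]+"),
    "utf-16-le": re.compile(re.escape(ANCHOR.encode("utf-16-le")) + rb"(?:[A-Za-z0-9_]\x00)+"),
}

# Settings whose presence in the list marks stealer/logger capability.
CAPABILITY_FIELDS = ("PasswordStealer", "KeyStrokeLogger", "ClipboardLogger",
                     "ScreenshotLogger", "WebCamLogger")


def find_hawkeye_config(dump: bytes) -> Optional[dict]:
    """Return {'encoding', 'offset', 'fields'} for the first hit, or None."""
    for enc, pat in _PATTERNS.items():
        m = pat.search(dump)
        if m:
            # "_Version_Mutex..." splits into ["", "Version", "Mutex", ...]; drop empties.
            fields = [f for f in m.group(0).decode(enc).split("_") if f]
            return {"encoding": enc, "offset": m.start(), "fields": fields}
    return None


def capabilities(fields: list) -> list:
    """Subset of CAPABILITY_FIELDS present in the recovered setting list."""
    present = set(fields)
    return [f for f in CAPABILITY_FIELDS if f in present]


# The exact string the report found in 00000000.00000002.388044368.00000000042A9000 (sample memory).
REPORT_STRING = ("_Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL"
                 "_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL"
                 "_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger"
                 "_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder"
                 "_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID"
                 "_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit"
                 "_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger"
                 "_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon"
                 "_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker"
                 "_WebsiteBlockerSites_FileBinder_FileBinderFiles")

# Constructed dumps: the marker embedded as a UTF-16LE string and as UTF-8.
FAKE_DUMP_UTF16 = b"\x00" * 32 + REPORT_STRING.encode("utf-16-le") + b"\x00" * 8
FAKE_DUMP_UTF8 = b"MZ" + b"\x90" * 14 + REPORT_STRING.encode("utf-8") + b"\x00"

if __name__ == "__main__":
    for name, dump in (("utf16", FAKE_DUMP_UTF16), ("utf8", FAKE_DUMP_UTF8)):
        hit = find_hawkeye_config(dump)
        print(name, hit["encoding"], hex(hit["offset"]), len(hit["fields"]), capabilities(hit["fields"]))
```

Both constructed dumps yield the same 55 setting names, starting with Version and ending with FileBinderFiles, with all five logger/stealer settings present. The anchor is deliberately short so that a build with extra or renamed trailing settings still matches; the greedy identifier run then collects whatever follows until the first non-identifier byte.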

Mitre Att&ck Matrix

The matrix is listed here by tactic. Techniques followed by bracketed digits are the ones the report flagged for this sample; the digits are the report's per-technique count badges, copied as extracted (adjacent badges have run together, so [412] is three badges, not one number). The remaining entries are the matrix's unflagged template cells.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [111]; Native API [11]; Shared Modules [1]; Scheduled Task/Job [1]; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Application Shimming [1]; Scheduled Task/Job [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Application Shimming [1]; Process Injection [412]; Scheduled Task/Job [1]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [4]; Software Packing [13]; Timestomp [1]; Masquerading [1]; Virtualization/Sandbox Evasion [131]; Process Injection [412]
Credential Access: OS Credential Dumping [1]; Credentials in Registry [1]; Credentials In Files [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery [1]; File and Directory Discovery [2]; System Information Discovery [19]; Security Software Discovery [231]; Virtualization/Sandbox Evasion [131]; Process Discovery [4]; Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data [11]; Data from Local System [1]; Email Collection [1]; Clipboard Data [2]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Remote Access Software [1]; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 516538; Sample: DHL_AWB 65335643399___pdf.exe; Start date: 05/11/2021; Architecture: WINDOWS; Score: 100

Signatures attached to the sample node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Detected HawkEye Rat; 11 other signatures

Process tree recovered from the graph:
- DHL_AWB 65335643399___pdf.exe (first instance)
  Dropped files: C:\Users\user\AppData\Local\Temp\tmpBB4.tmp (XML); C:\...\DHL_AWB 65335643399___pdf.exe.log (ASCII); C:\Users\user\AppData\Roaming32bJgZAsv.exe (PE32)
  Signatures: Injects a PE file into a foreign processes
  - DHL_AWB 65335643399___pdf.exe (second instance)
    Network: 192.168.2.1 (unknown)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Injects a PE file into a foreign processes
    - vbc.exe: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
    - vbc.exe: Tries to harvest and steal browser information (history, passwords, etc)
    - vbc.exe
    - 2 other processes
  - schtasks.exe
    - conhost.exe

Screenshots

[Screenshot thumbnails are not reproduced in this text extract.]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
DHL_AWB 65335643399___pdf.exe | 27% | Virustotal

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
17.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
17.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1125438
7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack | 100% | Avira | TR/Dropper.Gen
13.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
17.0.vbc.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1125438
17.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack | 100% | Avira | TR/Dropper.Gen
8.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1125438
13.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1125438
13.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1125438
8.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1125438
8.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
12.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1125438
13.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1125438
12.0.vbc.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1125438
7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
12.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
13.0.vbc.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1125438
13.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1125438
17.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1125438
7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack | 100% | Avira | TR/Dropper.Gen
7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack | 100% | Avira | TR/Dropper.Gen
12.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1125438
13.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
8.0.vbc.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1125438
8.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1125438
12.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1125438
7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack | 100% | Avira | TR/Dropper.Gen
17.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1125438
8.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1125438
12.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1125438
8.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
17.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1125438
12.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.fontbureau.comoaj%(- | 0% | Avira URL Cloud | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | 0% | URL Reputation | safe
http://www.zhongyicts.com.cnr-f | 0% | Avira URL Cloud | safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.founder.com.cn/cnomp | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.carterandcone.como. | 0% | URL Reputation | safe
http://www.sandoll.co.kr= | 0% | Avira URL Cloud | safe
http://www.carterandcone.comc | 0% | URL Reputation | safe
https://pki.goog/repository/0 | 0% | URL Reputation | safe
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.monotype.0 | 0% | Avira URL Cloud | safe
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.carterandcone.com. | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htmg | 0% | Avira URL Cloud | safe
http://www.carterandcone.comR | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt | 0% | URL Reputation | safe
http://pomf.cat/upload.php | 0% | Avira URL Cloud | safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.monotype. | 0% | URL Reputation | safe
http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg | 0% | URL Reputation | safe
http://www.carterandcone.comces | 0% | URL Reputation | safe
http://www.tiro.comn-u4 | 0% | Avira URL Cloud | safe
http://www.carterandcone.comen | 0% | URL Reputation | safe
http://www.tiro.comE | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
https://a.pomf.cat/ | 0% | Avira URL Cloud | safe
http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.comoaj%(- | DHL_AWB 65335643399___pdf.exe, 00000000.00000002.384884031.0000000001527000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | low
https://www.google.com/chrome/static/css/main.v2.min.css | bhv7E75.tmp.13.dr | false | - | high
http://www.msn.com | bhv7E75.tmp.13.dr | false | - | high
http://www.fontbureau.com/designers | DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmp | false | - | high
http://www.nirsoft.net | vbc.exe, 00000008.00000002.406829834.000000000019C000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000002.424903467.000000000019C000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.439426621.000000000019C000.00000004.00000001.sdmp, vbc.exe, 00000011.00000002.457922865.000000000019C000.00000004.00000001.sdmp | false | - | high
https://deff.nelreports.net/api/report?cat=msn | bhv7E75.tmp.13.dr | false | URL Reputation: safe | unknown
https://contextual.media.net/__media__/js/util/nrrV9140.js | bhv7E75.tmp.13.dr | false | - | high
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | bhv7E75.tmp.13.dr | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cnr-f | DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339058782.0000000005D60000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png | bhv7E75.tmp.13.dr | false | - | high
https://www.google.com/chrome/ | bhv7E75.tmp.13.dr | false | - | high
http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z | bhv7E75.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c | vbc.exe, 00000011.00000003.455081268.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.455503892.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454799669.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.457424591.00000000020FE000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.456654465.00000000020FE000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454890238.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454697900.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454779329.00000000020F3000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnomp | DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338488811.0000000005D5B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cn | DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.como. | DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339720163.0000000005D5B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr= | DHL_AWB 65335643399___pdf.exe, 00000000.00000003.337803826.0000000005D5B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm= | vbc.exe, 00000008.00000003.403565944.0000000002294000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.421984649.000000000222D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436172488.0000000000A2D000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454535819.00000000020ED000.00000004.00000001.sdmp, bhv7E75.tmp.13.dr | false | - | high
https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg | bhv7E75.tmp.13.dr | false | - | high
http://www.carterandcone.comc | DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339904623.0000000005D5B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee | bhv7E75.tmp.13.dr | false | - | high
https://www.google.com/chrome/static/images/download-browser/pixel_phone.png | bhv7E75.tmp.13.dr | false | - | high
https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex | vbc.exe, 00000008.00000003.403764467.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.406082134.00000000022AE000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.403993310.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.403428748.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.403352721.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.403250563.00000000022A3000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.424487107.000000000223E000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422702275.000000000223D000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422786505.000000000223D000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422243341.000000000223D000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422112434.0000000002233000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422184852.000000000223D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436725657.0000000000A3D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436819908.0000000000A3D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.438015449.0000000000A3E000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436279584.0000000000A33000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.438830919.0000000000A3E000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436354749.0000000000A3D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436415474.0000000000A3D000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.455081268.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.455503892.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454799669.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.457424591.00000000020FE000.00000004.00000001.sdmp, vbc.exe, 
00000011.00000003.456654465.00000000020FE000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454890238.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454697900.00000000020F3000.00000004.00000001.sdmpfalse
                                      high
                                      https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.pngbhv7E75.tmp.13.drfalse
                                        high
                                        https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gbhv7E75.tmp.13.drfalse
                                          high
                                          https://pki.goog/repository/0bhv7E75.tmp.13.drfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1bhv7E75.tmp.13.drfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msnbhv7E75.tmp.13.drfalse
                                            high
                                            https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736bhv7E75.tmp.13.drfalse
                                              high
                                              http://www.carterandcone.comlDHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339531363.0000000005D5B000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.msn.com/bhv7E75.tmp.13.drfalse
                                                high
                                                http://www.monotype.0DHL_AWB 65335643399___pdf.exe, 00000000.00000003.346508093.0000000005D5B000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                low
                                                https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpgbhv7E75.tmp.13.drfalse
                                                  high
                                                  https://www.google.com/chrome/static/images/fallback/icon-help.jpgbhv7E75.tmp.13.drfalse
                                                    high
                                                    https://cvision.media.net/new/286x175/2/189/134/171/257b11a9-f3a3-4bb3-9298-c791f456f3d0.jpg?v=9bhv7E75.tmp.13.drfalse
                                                      high
                                                      https://www.google.com/accounts/serviceloginvbc.exefalse
                                                        high
                                                        http://crl.pki.goog/gsr2/gsr2.crl0?bhv7E75.tmp.13.drfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://pki.goog/gsr2/GTSGIAG3.crt0)bhv7E75.tmp.13.drfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.google.com/chrome/static/images/fallback/icon-fb.jpgbhv7E75.tmp.13.drfalse
                                                          high
                                                          https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https:/vbc.exe, 00000008.00000003.403764467.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.404030985.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.403320580.00000000022A3000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422702275.000000000223D000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422167377.0000000002233000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436725657.0000000000A3D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436340701.0000000000A33000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.455081268.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454779329.00000000020F3000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://www.founder.com.cn/cn/bTheDHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://www.google.com/chrome/static/images/homepage/google-canary.pngbhv7E75.tmp.13.drfalse
                                                              high
                                                              https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.pngbhv7E75.tmp.13.drfalse
                                                                high
                                                                https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.jsbhv7E75.tmp.13.drfalse
                                                                  high
                                                                  https://www.google.com/chrome/static/js/main.v2.min.jsbhv7E75.tmp.13.drfalse
                                                                    high
                                                                    https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpgbhv7E75.tmp.13.drfalse
                                                                      high
                                                                      https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbfbhv7E75.tmp.13.drfalse
                                                                        high
                                                                        http://www.carterandcone.com.DHL_AWB 65335643399___pdf.exe, 00000000.00000003.339904623.0000000005D5B000.00000004.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://www.typography.netDDHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://fontfabrik.comDHL_AWB 65335643399___pdf.exe, 00000000.00000003.336076136.0000000005D5B000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2bhv7E75.tmp.13.drfalse
                                                                          high
                                                                          https://www.google.com/chrome/static/images/fallback/icon-youtube.jpgbhv7E75.tmp.13.drfalse
                                                                            high
                                                                            http://www.galapagosdesign.com/staff/dennis.htmgDHL_AWB 65335643399___pdf.exe, 00000000.00000003.346985285.0000000005D5B000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.carterandcone.comRDHL_AWB 65335643399___pdf.exe, 00000000.00000003.340178685.0000000005D5B000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9B620FEEbhv7E75.tmp.13.drfalse
                                                                              high
                                                                              http://www.fonts.comDHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                http://www.sandoll.co.krDHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0bhv7E75.tmp.13.drfalse
                                                                                  high
                                                                                  http://www.urwpp.deDHL_AWB 65335643399___pdf.exe, 00000000.00000003.342932704.0000000005D63000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.345202768.0000000005D68000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtbhv7E75.tmp.13.drfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://pomf.cat/upload.phpDHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://www.google.com/chrome/static/js/installer.min.jsbhv7E75.tmp.13.drfalse
                                                                                    high
                                                                                    https://www.google.com/chrome/static/images/download-browser/pixel_tablet.pngbhv7E75.tmp.13.drfalse
                                                                                      high
                                                                                      http://bot.whatismyipaddress.com/DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:aubhv7E75.tmp.13.drfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://www.google.com/chrome/static/images/homepage/google-beta.pngbhv7E75.tmp.13.drfalse
                                                                                          high
                                                                                          http://www.msn.com/de-ch/?ocid=iehpbhv7E75.tmp.13.drfalse
                                                                                            high
                                                                                            https://www.google.com/chrome/static/images/icon-file-download.svgbhv7E75.tmp.13.drfalse
                                                                                              high
                                                                                              http://www.fontbureau.com/designers/cabarga.htmlNDHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                http://www.founder.com.cn/cnDHL_AWB 65335643399___pdf.exe, 00000000.00000003.338190350.0000000005D5B000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338273494.0000000005D5B000.00000004.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                http://www.fontbureau.com/designers/cabarga.htmlDHL_AWB 65335643399___pdf.exe, 00000000.00000003.344674691.0000000005D7E000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.344539855.0000000005D7E000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://www.monotype.DHL_AWB 65335643399___pdf.exe, 00000000.00000003.342647297.0000000005D63000.00000004.00000001.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1bhv7E75.tmp.13.drfalse
                                                                                                    high
                                                                                                    https://cvision.media.net/new/286x175/3/248/152/169/520bb037-5f8d-42d6-934b-d6ec4a6832e8.jpg?v=9bhv7E75.tmp.13.drfalse
                                                                                                      high
                                                                                                      https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47bhv7E75.tmp.13.drfalse
                                                                                                        high
                                                                                                        http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svgbhv7E75.tmp.13.drfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplatebhv7E75.tmp.13.drfalse
                                                                                                          high
                                                                                                          http://www.carterandcone.comcesDHL_AWB 65335643399___pdf.exe, 00000000.00000003.339309878.0000000005D60000.00000004.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          https://www.google.com/chrome/static/images/folder-applications.svgbhv7E75.tmp.13.drfalse
                                                                                                            high
                                                                                                            http://www.tiro.comn-u4DHL_AWB 65335643399___pdf.exe, 00000000.00000003.338638321.0000000005D5B000.00000004.00000001.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpgbhv7E75.tmp.13.drfalse
                                                                                                              high
                                                                                                              http://www.carterandcone.comenDHL_AWB 65335643399___pdf.exe, 00000000.00000003.339422429.0000000005D60000.00000004.00000001.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://google.com/chromebhv7E75.tmp.13.drfalse
                                                                                                                high
                                                                                                                https://www.google.com/chrome/static/images/chrome-logo.svgbhv7E75.tmp.13.drfalse
                                                                                                                  high
                                                                                                                  https://www.google.com/chrome/static/images/homepage/homepage_features.pngbhv7E75.tmp.13.drfalse
                                                                                                                    high
                                                                                                                    http://www.tiro.comEDHL_AWB 65335643399___pdf.exe, 00000000.00000003.340105341.0000000005D5B000.00000004.00000001.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://www.sajatypeworks.comDHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.334804967.0000000005D42000.00000004.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://www.founder.com.cn/cn/cTheDHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    https://a.pomf.cat/DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0fbhv7E75.tmp.13.drfalse
                                                                                                                      high
                                                                                                                      https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.pngbhv7E75.tmp.13.drfalse
                                                                                                                        high
                                                                                                                        https://www.google.com/chrome/static/images/chrome_safari-behavior.jpgbhv7E75.tmp.13.drfalse
                                                                                                                          high
                                                                                                                          http://www.msn.com/?ocid=iehpvbc.exe, 00000008.00000003.403942068.0000000002294000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.421984649.000000000222D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436172488.0000000000A2D000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.455444203.00000000020E4000.00000004.00000001.sdmp, bhv7E75.tmp.13.drfalse
                                                                                                                            high
                                                                                                                            https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3bhv7E75.tmp.13.drfalse
                                                                                                                              high
                                                                                                                              http://crl.pki.goog/GTS1O1core.crl0bhv7E75.tmp.13.drfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              https://cvision.media.net/new/300x300/2/189/9/46/83cfba42-7d45-4670-a4a7-a3211ca07534.jpg?v=9bhv7E75.tmp.13.drfalse
                                                                                                                                high
                                                                                                                                http://www.ascendercorp.com/typedesigners.htmlDHL_AWB 65335643399___pdf.exe, 00000000.00000003.341657296.0000000005D63000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000003.341284538.0000000005D63000.00000004.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                https://www.google.com/chrome/static/images/icon-announcement.svgbhv7E75.tmp.13.drfalse
                                                                                                                                  high

                                                                                                                                  Contacted IPs


Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
(no public IPs listed)

                                                                                                                                  Private

                                                                                                                                  IP
                                                                                                                                  192.168.2.1

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 516538
Start date: 05.11.2021
Start time: 15:20:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 54s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: DHL_AWB 65335643399___pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@16/13@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0% (good quality ratio 0%)
• Quality average: 77%
• Quality standard deviation: 0%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 13.107.43.16, 13.107.5.88
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocos-office365-s2s.msedge.net, client-office365-tas.msedge.net, afdo-tas-offload.trafficmanager.net, config.edge.skype.com.trafficmanager.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, arc.msn.com, ris.api.iris.microsoft.com, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, l-0007.dc-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, config.edge.skype.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing behavior information.
• Report size getting too big: too many NtAllocateVirtualMemory calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
15:21:14 | API Interceptor | 5x Sleep call for process: DHL_AWB 65335643399___pdf.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_AWB 65335643399___pdf.exe.log
Process: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
C:\Users\user\AppData\Local\Temp\49b65733-2a7e-be56-685e-64260949479e
Process: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 88
Entropy (8bit): 5.403819652846604
Encrypted: false
SSDEEP: 3:Bpx9cCPOERwhkNvW0sKtKWBeNODnS501:Bpx939R/NvW0s1e
MD5: 9875EC0B7EB8D451315F9F1326AAEB67
SHA1: E9871048F796D66A9E291BEAC8C22F2E5AA4C17F
SHA-256: 202ACD4716CF06B8A7E34DB56034BC4AD82E3BF3C7E3C3CF315E5F87BB5EF8B9
SHA-512: 406CBB37B4FB90E1154ECFF01B345915F12D22FD7E19E65DB7A7B961075B01D3014A4BC7B19F2BAEE0FFB565FE1A1A8A3258E21D5718B4FFD65FAB9DFBC4A3FC
Malicious: false
Reputation: low
Preview: GTXq6lZGCzVwlrIPDHEkHKLHTDwQ+W9qskpK9EEOMzECcgwr6lRJ0INBTQI/Ho3Cwgm7UnZunhkwo8Y4g7/03Q==
C:\Users\user\AppData\Local\Temp\bhv3F87.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type: Extensible storage user DataBase, version 0x620, checksum 0xf6c62795, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 26738688
Entropy (8bit): 0.877811164040784
Encrypted: false
SSDEEP: 24576:5M+wP17f2sBMPHihgmKdTnjVccgeTaNX:9sBoT
MD5: C7282CEAA3E3B01987F67DA5BF529677
SHA1: A5D3B18A538855FEF53FA6D0F5BCD31131A5C916
SHA-256: AE7D3AEFA17E7DFE40E329BA1E110383E1D7D6CFC29BD5D0489984295C7DB1EA
SHA-512: D1E01AF046CC07D75DB0983B32B320EE11F4CD2CFCF332355C84B569BD38AFD3ADA4C77F73FFD5366A07433EEED0675AC71D2FE861FF69961BEF4A7C34D5A17E
Malicious: false
Reputation: low
                                                                                                                                  Preview: ..'.... .......p........Ef..4...w........................%.....2....y..3....y..h.'............................W.4...w..............................................................................................[............B.................................................................................................................. ............yW......................................................................................................................................................................................................................................\5......y#q................%........yC.........................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\bhv6484.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type: Extensible storage user DataBase, version 0x620, checksum 0x3860e4e7, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 26738688
Entropy (8bit): 0.882512226797484
Encrypted: false
SSDEEP: 24576:3A+wP17f2svMPHihgmKdTnjVccgeTaNX:fsvoT
MD5: 57F8E33FDE23B8D15313B3B5EB91BF92
SHA1: D6F6B34363DCE4E667B91E369AC32E5D0E8ABA9C
SHA-256: 6E110E32E80B10B430E18680289C39CB652090C9F09CD73ADB87534F9AAEE1C6
SHA-512: C258DD9D1F84947D67C45EEAF40715A384A78A74E014D86209B78CD1121A957FF0BD618277529033D5E96C6289A69A3EC49C1B0D35A176283B27C76B8ED2D222
Malicious: false
Reputation: low
                                                                                                                                  Preview: 8`..... .......p........Ef..4...w........................%.....2....y..3....y..h.'............................W.4...w..............................................................................................[............B.................................................................................................................. ............yW........................................................................................................................................................................................................................................N)....yC{...................V(....yc.........................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\bhv7E75.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type: Extensible storage user DataBase, version 0x620, checksum 0x3860e4e7, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 26738688
Entropy (8bit): 0.882512226797484
Encrypted: false
SSDEEP: 24576:3A+wP17f2svMPHihgmKdTnjVccgeTaNX:fsvoT
MD5: 57F8E33FDE23B8D15313B3B5EB91BF92
SHA1: D6F6B34363DCE4E667B91E369AC32E5D0E8ABA9C
SHA-256: 6E110E32E80B10B430E18680289C39CB652090C9F09CD73ADB87534F9AAEE1C6
SHA-512: C258DD9D1F84947D67C45EEAF40715A384A78A74E014D86209B78CD1121A957FF0BD618277529033D5E96C6289A69A3EC49C1B0D35A176283B27C76B8ED2D222
Malicious: false
                                                                                                                                  Preview: 8`..... .......p........Ef..4...w........................%.....2....y..3....y..h.'............................W.4...w..............................................................................................[............B.................................................................................................................. ............yW........................................................................................................................................................................................................................................N)....yC{...................V(....yc.........................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\bhvA016.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type: Extensible storage user DataBase, version 0x620, checksum 0x3860e4e7, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 26738688
Entropy (8bit): 0.882512226797484
Encrypted: false
SSDEEP: 24576:3A+wP17f2svMPHihgmKdTnjVccgeTaNX:fsvoT
MD5: 57F8E33FDE23B8D15313B3B5EB91BF92
SHA1: D6F6B34363DCE4E667B91E369AC32E5D0E8ABA9C
SHA-256: 6E110E32E80B10B430E18680289C39CB652090C9F09CD73ADB87534F9AAEE1C6
SHA-512: C258DD9D1F84947D67C45EEAF40715A384A78A74E014D86209B78CD1121A957FF0BD618277529033D5E96C6289A69A3EC49C1B0D35A176283B27C76B8ED2D222
Malicious: false
                                                                                                                                  Preview: 8`..... .......p........Ef..4...w........................%.....2....y..3....y..h.'............................W.4...w..............................................................................................[............B.................................................................................................................. ............yW........................................................................................................................................................................................................................................N)....yC{...................V(....yc.........................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmp2427.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type: Little-endian UTF-16 Unicode text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP:
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Preview: ..
C:\Users\user\AppData\Local\Temp\tmp51F7.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type: Little-endian UTF-16 Unicode text, with no line terminators
Category: dropped
                                                                                                                                  Size (bytes):2
                                                                                                                                  Entropy (8bit):1.0
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:
                                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: ..
                                                                                                                                  C:\Users\user\AppData\Local\Temp\tmp72B7.tmp
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                  File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2
                                                                                                                                  Entropy (8bit):1.0
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:
                                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: ..
                                                                                                                                  C:\Users\user\AppData\Local\Temp\tmpBB4.tmp
                                                                                                                                  Process:C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):1653
                                                                                                                                  Entropy (8bit):5.161745901057222
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:
                                                                                                                                  MD5:7905247879184C91276AA846224B68E9
                                                                                                                                  SHA1:3F24CBA6359007C884F0DBAB1E66ADB90E3D5AA5
                                                                                                                                  SHA-256:1380B534164A7193F9DAF1ACD1614B2533BF67005D9DD7D4E1E08BE825A0A78B
                                                                                                                                  SHA-512:A303D15C69C7D7429E5876E02F0370B1C9BA2DA4DD807ABDE8F363B382ED55C93DBE81624CF693DA294F7120F7D6735CC475D704F19F9662550A9A52E765B4FF
                                                                                                                                  Malicious:true
                                                                                                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
                                                                                                                                  C:\Users\user\AppData\Local\Temp\tmpF619.tmp
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                  File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2
                                                                                                                                  Entropy (8bit):1.0
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:
                                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: ..
                                                                                                                                  C:\Users\user\AppData\Roaming\NbJgZAsv.exe
                                                                                                                                  Process:C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):897024
                                                                                                                                  Entropy (8bit):7.575754263243903
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:
                                                                                                                                  MD5:52EF260EF62AAE29914F40CB8EAED7AC
                                                                                                                                  SHA1:CBA71C49AE1C145C6E9210685BE42F4AA24B0E18
                                                                                                                                  SHA-256:752EFE9AD078A9BE4A82B6F7C2123D58C90A1456287390B50DF9E9C3292BC490
                                                                                                                                  SHA-512:728F4B4590909C13A1CD9D0DDD90A6C75FDAD830ED44EDE67A1EB0CBD59476760507511E2F42D38545ABF11E3B08D85E95E8F04962094E012956D061E82425AE
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V...............................~.... ........@.. ....................................@.................................0...K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H........{...E...........................................................0..9.......+.&.........%..#.o...........%.r...p.%.r/..p.%....8.....*...B+.&.+.&..(.....*....+.&..*..+.&..*.^+.&...(....(!...("....*^+.&..(%....(....o.....*.0..........+.&.+.&. ....8o......(.......{.....(.......{.....(......s....}....8....& ....8/....rI..p}.... .....9....&.(&...8.... ............E........l...............-.......u... .....:....&..}....($...(#...9....& ....8......{.....{.....{....o....u....
                                                                                                                                  C:\Users\user\AppData\Roaming\NbJgZAsv.exe:Zone.Identifier
                                                                                                                                  Process:C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):26
                                                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:
                                                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: [ZoneTransfer]....ZoneId=0

                                                                                                                                  Static File Info

                                                                                                                                  General

                                                                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                  Entropy (8bit):7.575754263243903
                                                                                                                                  TrID:
                                                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                  File name:DHL_AWB 65335643399___pdf.exe
                                                                                                                                  File size:897024
                                                                                                                                  MD5:52ef260ef62aae29914f40cb8eaed7ac
                                                                                                                                  SHA1:cba71c49ae1c145c6e9210685be42f4aa24b0e18
                                                                                                                                  SHA256:752efe9ad078a9be4a82b6f7c2123d58c90a1456287390b50df9e9c3292bc490
                                                                                                                                  SHA512:728f4b4590909c13a1cd9d0ddd90a6c75fdad830ed44ede67a1eb0cbd59476760507511e2f42d38545abf11e3b08d85e95e8f04962094e012956d061e82425ae
                                                                                                                                  SSDEEP:24576:7HnOzw59zsorf4ep5TIAAkYc8xmGgTp5UVNH19:KITMepFYPxmjUVNV
                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V...............................~.... ........@.. ....................................@................................

                                                                                                                                  File Icon

                                                                                                                                  Icon Hash:00828e8e8686b000

                                                                                                                                  Static PE Info

                                                                                                                                  General

                                                                                                                                  Entrypoint:0x4db87e
                                                                                                                                  Entrypoint Section:.text
                                                                                                                                  Digitally signed:false
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  Subsystem:windows gui
                                                                                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                                  Time Stamp:0xBAAB9656 [Fri Mar 29 18:28:38 2069 UTC]
                                                                                                                                  TLS Callbacks:
                                                                                                                                  CLR (.Net) Version:v4.0.30319
                                                                                                                                  OS Version Major:4
                                                                                                                                  OS Version Minor:0
                                                                                                                                  File Version Major:4
                                                                                                                                  File Version Minor:0
                                                                                                                                  Subsystem Version Major:4
                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                                  Entrypoint Preview

                                                                                                                                  Instruction
                                                                                                                                  jmp dword ptr [00402000h]
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al

Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xdb830         | 0x4b         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xdc000         | 0x10ec       | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xde000         | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

Sections

Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
.text  | 0x2000          | 0xd9884      | 0xd9a00  | False    | 0.804097411689  | data      | 7.57987288124  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc  | 0xdc000         | 0x10ec       | 0x1200   | False    | 0.377170138889  | data      | 4.90557056462  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xde000         | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name        | RVA     | Size  | Type                                                                                | Language | Country
RT_VERSION  | 0xdc0a0 | 0x324 | data                                                                                |          |
RT_MANIFEST | 0xdc3c4 | 0xd25 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators     |          |

Imports

DLL         | Import
mscoree.dll | _CorExeMain

Version Infos

Description      | Data
Translation      | 0x0000 0x04b0
LegalCopyright   | Copyright 2020
Assembly Version | 1.0.0.0
InternalName     | X509Constan.exe
FileVersion      | 1.0.0.0
CompanyName      |
LegalTrademarks  |
Comments         |
ProductName      | MyNoteApp
ProductVersion   | 1.0.0.0
FileDescription  | MyNoteApp
OriginalFilename | X509Constan.exe

                                                                                                                                  Network Behavior

                                                                                                                                  No network behavior found

                                                                                                                                  Code Manipulations

                                                                                                                                  Statistics

                                                                                                                                  Behavior

                                                                                                                                  System Behavior

                                                                                                                                  General

                                                                                                                                  Start time:15:21:04
                                                                                                                                  Start date:05/11/2021
                                                                                                                                  Path:C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe"
                                                                                                                                  Imagebase:0xad0000
                                                                                                                                  File size:897024 bytes
                                                                                                                                  MD5 hash:52EF260EF62AAE29914F40CB8EAED7AC
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  Reputation:low

                                                                                                                                  General

                                                                                                                                  Start time:15:21:25
                                                                                                                                  Start date:05/11/2021
                                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp
                                                                                                                                  Imagebase:0x1240000
                                                                                                                                  File size:185856 bytes
                                                                                                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:15:21:26
                                                                                                                                  Start date:05/11/2021
                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                  Imagebase:0x7ff61de10000
                                                                                                                                  File size:625664 bytes
                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:15:21:26
                                                                                                                                  Start date:05/11/2021
                                                                                                                                  Path:C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
                                                                                                                                  Imagebase:0x6f0000
                                                                                                                                  File size:897024 bytes
                                                                                                                                  MD5 hash:52EF260EF62AAE29914F40CB8EAED7AC
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.604722336.0000000002B87000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.604997751.0000000002C11000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.604881484.0000000002BE0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000003.384365256.0000000004355000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000003.384365256.0000000004355000.00000004.00000001.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.606069695.0000000002CBB000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 15:21:31
Start date: 05/11/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp72B7.tmp
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.392634525.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.394234087.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.393712124.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.394776440.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 15:21:41
Start date: 05/11/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp51F7.tmp
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000000.415051620.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000000.414637682.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000000.414189798.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000000.413703386.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 15:21:48
Start date: 05/11/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp2427.tmp
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000002.439502988.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000000.429569305.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000000.428434291.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000000.428849255.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 15:21:55
Start date: 05/11/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF619.tmp
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000011.00000002.458049589.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000011.00000000.443122582.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000011.00000000.445590834.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000011.00000000.443616731.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 15:23:00
Start date: 05/11/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF75D.tmp
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000001B.00000002.585393509.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000002.585393509.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000001B.00000000.584242337.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000000.584242337.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000001B.00000000.583483657.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000000.583483657.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000001B.00000000.583887483.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000000.583887483.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

Disassembly

Code Analysis
